Wildfires across the west, hurricanes in Florida and the Gulf Coast, and floods, tornadoes and windstorms in other years have all presented threats to the security of protected health information (PHI). Both electronic and non-electronic PHI can be lost, damaged or destroyed in a natural or man-made disaster or emergency. Advance planning – a contingency plan – can prevent those losses.
Contingency plans tend to get put off because unless you live in the path of seasonal hurricanes or near vulnerable forests, disasters seem remote. But a simple power outage or a burst pipe that floods your facility can cause system failure and loss of data. Ransomware is another business interruption which could trigger the need for a contingency plan. Natural and manmade disasters occur with increasing frequency today, and can strike anywhere.
A Contingency Plan Helps Manage Risk
We write often about the importance of Risk Analysis – Risk Management for HIPAA compliance. We write about it because it is the single most important thing a covered entity or business associate can do for a quality HIPAA compliance program. When done right, it greatly reduces risks to the privacy and security of protected health information (PHI). Unfortunately, too many organizations are not doing Risk Analysis, or not doing it fully, which leads to avoidable losses and breaches, and in some cases, costly fines for non-compliance.
To help with the details of Risk Analysis, last week we took a deep dive into business associate due diligence, and the week before that the IT asset inventory, both of which are required in a full HIPAA Risk Analysis. This week we will discuss contingency planning.
HIPAA Requires a Contingency Plan
Covered entities and business associates must have “Administrative, Physical and Technical Safeguards” to ensure the confidentiality, integrity, and security of electronic PHI they create, receive, maintain or transmit.
A contingency plan is one of the Administrative Safeguards required. The plan must have policies and procedures for responding to an emergency that damages systems or physical locations containing PHI.
You cannot buy one off the shelf and you won’t find one pre-written online. The right one is tailored specifically to your own organization and flows from your own policies, how you’re organized and staffed, and where you’re located. It should not be borrowed from another discipline, because HIPAA requirements are specific to HIPAA law.
The U.S. Department of Health and Human Services (HHS) says:
- A contingency plan is the only way to protect the availability, integrity, and security of data during unexpected negative events, AND
- The contents of any given contingency plan will depend upon the nature and configuration of the entity devising it.
The Contingency Plan Creates a Roadmap of Actions During an Emergency
The first task during an emergency is ensuring that data is backed up. Offsite data backup, in a way that’s unconnected to the central system, is a best practice under HIPAA for other reasons too. It is the best defense against ransomware since it prevents cyberthieves from taking data out of your reach and demanding ransom to get it back.
Other tasks include setting up alternate facilities, ensuring power backup, contacting workforce, checking supplies and services provided by others, e.g., business associates or subcontractor business associates. All the tasks are organized in the contingency plan so you know what to do.
Key HIPAA Policies and Procedures Required in a Contingency Plan
The source for the following list of policies is both the HIPAA Privacy and Security Rules. These “implementation specifications” create Administrative, Physical and Technical Safeguards to protect PHI. Another source used by The HIPAA E-Tool® is the HHS Assistant Secretary for Preparedness and Response Technical Resources Assistance Center, or ASPR TRACIE.
Note that some are “required” and some are “addressable”. But “addressable” does NOT mean “optional”. HIPAA is flexible, and recognizes that organizations complying with HIPAA are different sizes and types, with different structures and facilities. If a HIPAA specification is “addressable” it means an organization must evaluate whether it is a reasonable and appropriate safeguard to protect PHI in its own specific environment. If it is not reasonable and appropriate, but an alternative method would help, the alternative may be used. A stand-alone medical practice with one or two physicians will evaluate what it needs differently from a large health system, or an assisted living facility or home health care organization.
Administrative Safeguards:
- Contingency Plan (required)
- Data Backup (required)
- Disaster Recovery Plan (required)
- Emergency Mode Operation Plan (required)
- Testing and Revision Procedure (addressable)
- Applications and Data Criticality Analysis (addressable)
Physical Safeguards:
- Facility Access Controls (addressable)
- Device and Media Controls (addressable)
Technical Safeguards:
- Emergency Access Procedures (required)
The contingency plan should also include special procedures required by the organization’s specific nature and circumstances. Special procedures may include:
- Contact information for workforce members, business associates and others who would be involved in implementing the contingency plan if necessary;
- Cross training workforce members to cope with absences due to an emergency;
- Identifying alternative delivery sites where services may be provided if one or more of locations is unusable; and
- Identifying alternative sources for the provision of essential services, equipment or products in case a business associate or a (non BA) independent contractor is unable to provide the services, equipment or products.
Training workforce members in the contingency plan is also necessary, as is occasional testing or exercises. Make sure key management and leadership have copies so it’s available to them at all times. You might consider placing the contingency plan document in a secure off-site location so that it remains available if the facility is damaged. The contingency plan should be reviewed and, if needed, revised annually. Finally, everything done on a contingency plan must be documented. Save all the work, including evaluations, evidence of training and any exercises conducted.
The HIPAA E-Tool® Understands Contingency Plans
The HIPAA E-Tool®‘s easy-to-use planning template helps you create the exact contingency plan for your organization’s specific needs, no matter what type, whether you face fire, hurricane, tornado, or any other unexpected emergencies.